Spring Security using CSRF token even though not specified and turned off
For my project I am trying to build a simple service that can perform POST, GET and DELETE requests. I am not interested in the extra security layer that CSRF adds, so I would like to turn it off. I know it should be off by default, but it does not seem to behave that way. Every time I make a POST request it gives me the following output:
/users/insert at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy : /users/insert at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.security.web.FilterChainProxy : /users/insert at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.security.web.FilterChainProxy : /users/insert at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/users/insert
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6c3a524b
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
If I make a GET request, it works fine.
My pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.webservices</groupId>
    <artifactId>restservice</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>restservice</name>
    <description>Rest webservice</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-hateoas</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <version>5.3.2.RELEASE</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.data</groupId>
            <artifactId>spring-data-rest-hal-browser</artifactId>
        </dependency>
        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger2</artifactId>
            <version>2.9.2</version>
        </dependency>
        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger-ui</artifactId>
            <version>2.9.2</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
In my application.properties I have already tried security.enable.csrf=false, but it does not work.
CSRF protection is enabled by default. Out of the box there is no way to disable it by setting something in application.properties. As Patel points out, this has to be done by disabling csrf on the HttpSecurity configuration.
See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf-configure-disable for how to do this with XML or Java configuration.
You can create your own application.properties entry and read it with @Value in the Java configuration, for example
@Value("${security.enable.csrf}") private boolean csrfEnabled;
Patel Romil's answer solved my problem!
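The property-driven switch that the answer above suggests, written out as a complete configuration class. This is an added example and not code from the question or the answer; the package name com.webservices.restservice.config and the property key app.security.csrf-enabled are assumptions. The key security.enable.csrf from the question does nothing in Spring Boot 2: the Boot 1.x property security.enable-csrf was removed in 2.0, so the only switch is the one you wire yourself through HttpSecurity, as below (Spring Boot 2.1.x / Spring Security 5.1 as in the pom, where WebSecurityConfigurerAdapter is the configuration entry point).

```java
// Added example, not from the question or the answers. Package and property name are assumed.
package com.webservices.restservice.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Our own key, e.g. app.security.csrf-enabled=false in application.properties.
    // Spring Boot 2.x ships no property that turns CsrfFilter off; defaulting to true
    // keeps protection on when the key is absent.
    @Value("${app.security.csrf-enabled:true}")
    private boolean csrfEnabled;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (csrfEnabled) {
            // Browser clients: the token is issued in an XSRF-TOKEN cookie that JavaScript
            // can read and must be echoed back in the X-XSRF-TOKEN header on POST/PUT/DELETE.
            http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        } else {
            // Switching the filter off is only safe when the browser attaches no ambient
            // credential to a cross-site request: no session cookie, and no Basic credentials
            // it has cached for this realm. Going stateless removes the session cookie; the
            // off-switch is therefore meant for non-browser clients or for clients that set an
            // Authorization header explicitly, not for a browser logged in with Basic auth.
            http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
        http.authorizeRequests().anyRequest().authenticated()
            .and().httpBasic();
    }
}
```

With the key set to false the log lines from the question no longer show CsrfFilter in the chain, which is the quickest way to confirm the override actually took effect.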
Have you added csrf().disable() in the configure(HttpSecurity http) method?
CSRF stands for Cross-Site Request Forgery; in Spring Security it is exposed on HttpSecurity as follows:
public CsrfConfigurer<HttpSecurity> csrf() throws Exception {
    ApplicationContext context = getContext();
    return getOrApply(new CsrfConfigurer<>(context));
}
Disable completely
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()...
}
Enable partially
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf().ignoringAntMatchers("csrf-disabled-endpoints")...
}
Include CSRF
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf().ignoringAntMatchers("csrf-disabled-endpoints")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())...
}
You may want to explore more details here.
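Whichever of the three configurations above you pick, the filter chain log in the question is a poor way to verify it. The added test below, which is not part of the answer or the question's project, pins the behaviour down with the spring-security-test dependency already in the pom: a POST or DELETE without a token is stopped by CsrfFilter with 403 before any controller runs, the same request carrying a token gets past the filter, and GET is never checked (which is why GET worked in the question). Assumptions: the application context starts under test (a test datasource if the JPA layer needs one), the path /users/insert from the question's log plus the made-up paths /users and /users/1, a constructed JSON body, and JUnit 4 with SpringRunner as the 2.1.x parent provides. If the application disables CSRF, the first two tests fail, which is exactly the signal you want from such a test.

```java
// Added example, not from the question or the answers. Paths other than /users/insert and the
// request body are assumed; the controller behind them is the application's own.
package com.webservices.restservice;

import static org.hamcrest.Matchers.not;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class CsrfEnforcementTest {

    @Autowired
    private MockMvc mvc;

    // Constructed request body for the example.
    private static final String BODY = "{\"name\":\"alice\"}";

    // What the question's log shows: CsrfFilter rejects the POST before any controller runs.
    // user("alice") authenticates the request so that 403 can only come from the CSRF check.
    @Test
    public void postWithoutTokenIsRejectedByCsrfFilter() throws Exception {
        mvc.perform(post("/users/insert").with(user("alice"))
                .contentType(MediaType.APPLICATION_JSON).content(BODY))
           .andExpect(status().isForbidden());
    }

    // DELETE changes state and is checked the same way, even if no handler is mapped for the path.
    @Test
    public void deleteWithoutTokenIsRejectedByCsrfFilter() throws Exception {
        mvc.perform(delete("/users/1").with(user("alice")))
           .andExpect(status().isForbidden());
    }

    // csrf() puts a valid token on the request, as a legitimate same-site client would.
    // Past the filter the status is whatever the controller returns, so only assert it is not 403.
    @Test
    public void postWithTokenPassesCsrfFilter() throws Exception {
        mvc.perform(post("/users/insert").with(user("alice")).with(csrf())
                .contentType(MediaType.APPLICATION_JSON).content(BODY))
           .andExpect(status().is(not(403)));
    }

    // Safe methods (GET, HEAD, OPTIONS, TRACE) are never checked by CsrfFilter.
    @Test
    public void getIsNotChecked() throws Exception {
        mvc.perform(get("/users").with(user("alice")))
           .andExpect(status().is(not(403)));
    }
}
```

On a Spring Boot 2.2+ parent the vintage exclusion in the pom removes JUnit 4, so drop @RunWith and switch the imports to org.junit.jupiter.api.Test; the assertions are unchanged.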